Attackers are reportedly using the Google Cloud App Engine platform to deliver malware with PDF decoys, identified as PDF_Phish.Gen, and GCP URLs that redirect victims to malicious payloads.

*UPDATE* A Google spokesperson wrote to Infosecurity, “As of January 18, 2019, the issue described in this report has been fixed. Protecting our customers from phishing attacks is a top priority for Google. We proactively warn users whenever they are being redirected to a URL outside of a Google domain. Additionally, if a user attempts to proceed to an untrusted site, we warn them of known malicious URLs through Google Safe Browsing filters.”

The research conducted by the team verified evidence of these attacks targeting governments and financial firms worldwide, with multiple decoys possibly linked to the Cobalt Strike advanced persistent threat (APT) group.

The team reportedly detected several targeted attacks predominantly in the banking and finance sector, all of which were EML files that carried an .eml extension and contained the same detection name, which triggered alerts.

“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a GoogleApp Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely,” researchers wrote.

Though PDF readers typically warn users about potential security risks with document that are connects to a website, researchers said, “Once 'remember this action for this site' is checked for a domain, this feature allows any URL within the domain without any prompt.” Leveraging this default option allows the attacker to successful execute multiple attacks without prompting the security alert.

Each of the files used in the attack reportedly downloaded Microsoft Word documents with obfuscated macro code or PDF documents as the second-stage payload.

“The PDF decoy detected in our customer instances downloaded a word document named 'Doc102018.doc' containing obfuscated macro code...On execution, the victim is presented with a message to enable editing and content mode to view the document,” the report said.

The research suggests that continued adoption of the platform will create an increased cyber-attack surface where hackers can target the infrastructure.

* January 26 - This article was updated to include comment from Google spokesperson.